Add secret producer/receiver and docker credential helper by pantherman594 · Pull Request #381 · verily-src/workbench-app-devcontainers

pantherman594 · 2026-04-23T21:01:52Z

See linked verily1 PR for ordering of when the scripts will be called.

docker-auth-secrets.sh registers docker-credential-workbench-secret to be used when pulling a package from one of the "dockerRepository" secrets. This must be called after git-clone-devcontainer since it needs to read the secret from the devcontainer directory
docker-credential-secrets.sh is the script behind docker-credential-workbench-secret (the docker-credential scripts are just a thin wrapper providing the resource path)
provide-secrets.sh fetches secrets configured in secrets.yml and passes them to the app. This is the "Secret Provider" in the design doc
secret-receiver receives the secret values and directs them to environment variables or file descriptors for the app to read
vscode-secrets is a sample vscode app that reads a secret named example-secret and stores it in environment variable EXAMPLE_SECRET

pantherman594 force-pushed the consume-secret branch 6 times, most recently from 04fa6a5 to 82a8e91 Compare April 27, 2026 16:59

pantherman594 added 5 commits April 27, 2026 13:00

Add secret producer/receiver and docker credential helper

fcbd3db

Allow specifying allowedSecrets section to whitelist

a97cebb

Lint, shellcheck

b64cdba

Timeout when writing to pipe

ac59dcc

Trim down test app, test secret receiver logic

565aef7

pantherman594 mentioned this pull request Apr 27, 2026

Tests refactoring #383

Open

pantherman594 changed the base branch from master to test-pre-post-script April 27, 2026 17:16

pantherman594 force-pushed the consume-secret branch from 82a8e91 to 565aef7 Compare April 27, 2026 17:16

Provide feedback